When Verizon first launched FiOS it was a glorious time. The city I live in (Keller, TX) was the first city in the nation to get FiOS! It was fantastic. The fastest stuff on the block was DSL from Verizon or AT&T at 1.5 Mb/s down and 128 Kb/s up, and it wasn’t reliable at all. FiOS came along rocking 15 Mb/s down and 5 Mb/s up. It was incredible stuff at the time. Even Charter and Time Warner cable were only offering 2 or 3 megabits in the areas where they were actually available. Over the years Verizon upped the speed; you could even get full gigabit speeds in some areas. Then Frontier Communications bought the Texas area, and what was once glorious internet became average internet. The ping times are up, the jitter is up, and pretty much everything that was great about the FiOS service is now gone, with the exception of sheer throughput. So what does all of this have to do with putting a switch between the ONT and the router?

Putting a Switch between the FiOS ONT and Router

Sometimes you need to be able to prove to your ISP that the issue is on their end. Sometimes you need to prove to yourself that the issue is on your end. Sometimes there are hardware or software problems with your router that can be mitigated by putting a device between the ONT and the router (such as the one where pfSense won’t re-establish the WAN link after it fails). The great thing about having a switch between the ONT and the router is that it makes it incredibly easy to mirror the ONT’s port and put a sniffer such as Wireshark on the line to listen to packets in the wild.

This can be an incredibly effective way of seeing just what data is passing between the ISP and your network.  It’s also a great way to make sure your firewall or internal network is operating correctly. You may think your ISP is at fault only to learn your proxy server (think Squid) is acting up.

Option 1: Place a desktop switch between the ONT and the router

The obvious choice might be to just place a desktop switch between the ONT and the router. This option does work. It will keep the WAN link on your router up at all times, even if the ONT fails. For hardware or software incompatibilities where you just don’t want the router to see the WAN link physically go down (such as when the router is on a UPS and the ONT is not), this is a great solution. However, it will not give you the ability to mirror a port for traffic sniffing. These desktop-class switches are also made with cheaper components, which may impact performance, and they are more prone to failure.

Figure 1: Desktop Switch between the ONT and the Router

Option 2: Use a WAN VLAN between the ONT and the router

Option 2 is the better, more robust solution, but it does require a VLAN-capable switch and a little understanding of more complex networking scenarios. This option creates a virtual LAN on two ports of a managed switch. Plug the ONT into one port and the WAN interface of the router into the other port. This gives you the option to mirror either port to a third port on the switch, allowing you to sniff traffic outside the firewall. If you have two routers in a CARP (failover) configuration you’d just add a third port to this VLAN and connect both routers. This would allow for failover in the case of a router failure. Your ISP (Frontier FiOS in my case) would not be aware that there is more than one router connected, because the devices share a virtual MAC address and the IP address that your ISP handed you via DHCP.

In this configuration it is critically important to make sure that nothing can pass between the WAN VLAN and your internal VLANs (no inter-VLAN routing or leakage on the switch), as that could allow an attacker to bypass your firewall! The WAN VLAN must be untagged on its ports and completely segregated from every other VLAN.
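The segregation rule above (and the PVID advice in the comments) is easy to get wrong on a small managed switch, so here is an added checker, not code from the original post, that audits a switch's VLAN table for the Option 2 layout. The port names, VLAN IDs and 5-port layout are constructed assumptions, not values from the article.

```python
# Added example: verify that the WAN VLAN only ever touches the ONT port and
# the router's WAN port, untagged, with matching PVIDs, and that no inside
# port is a member of it. Port names and VLAN IDs below are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int            # VLAN assigned to untagged frames arriving on the port
    untagged: frozenset  # VLANs the port carries untagged
    tagged: frozenset    # VLANs the port carries 802.1Q-tagged


def wan_vlan_problems(ports, wan_vlan, wan_ports):
    """Return a list of findings; an empty list means the WAN VLAN is segregated."""
    findings = []
    for p in ports:
        if p.name in wan_ports:
            if p.pvid != wan_vlan:
                findings.append(f"{p.name}: PVID {p.pvid} != WAN VLAN {wan_vlan}")
            if p.untagged != {wan_vlan}:
                findings.append(f"{p.name}: untagged VLANs {sorted(p.untagged)} must be exactly [{wan_vlan}]")
            if p.tagged:
                findings.append(f"{p.name}: carries tagged VLANs {sorted(p.tagged)}; ONT/router ports must carry none")
        elif wan_vlan in p.untagged or wan_vlan in p.tagged:
            findings.append(f"{p.name}: inside port is a member of WAN VLAN {wan_vlan}; traffic could bypass the firewall")
    return findings


# Constructed layout for a hypothetical 5-port managed switch: port1 = ONT,
# port2 = router WAN, port3 = mirror target (mirroring is configured separately
# from VLAN membership), port4/port5 = inside LAN on VLAN 1. WAN VLAN is 100.
GOOD = [
    Port("port1", 100, frozenset({100}), frozenset()),
    Port("port2", 100, frozenset({100}), frozenset()),
    Port("port3", 1, frozenset({1}), frozenset()),
    Port("port4", 1, frozenset({1}), frozenset()),
    Port("port5", 1, frozenset({1}), frozenset()),
]
# Same switch, but port4 was later turned into a trunk that also carries VLAN 100.
LEAKY = GOOD[:3] + [Port("port4", 1, frozenset({1}), frozenset({100}))] + GOOD[4:]

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("leaky", LEAKY)):
        print(label, wan_vlan_problems(cfg, 100, {"port1", "port2"}) or "OK")
```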

Figure 2: WAN VLAN between the ONT and the Router

Additional Benefits of a Switch Between the ONT and the Router

There are a few additional benefits of having a switch between the ONT and the router, depending on how much you value your privacy and how far you want to take things:

  1. Your ISP will never know when your router goes off line, as the link will always be up (unless you reboot your switch).
  2. You can replace your router and the ONT will be completely unaware.
  3. Easier upgrades and future expansions of your network.
  4. If your router does not support SNMP but your switch does, you can feed traffic data on your WAN usage to your Network Monitoring System (NMS).
  5. It’s easy to unplug your router and attach a laptop for testing in the case of a WAN outage.

So there you have it. I currently run option 2 in my network using the WAN VLAN. This works extremely well and is the one I would recommend.

Some of you might be asking if you can plug more than one router into the ONT this way. Unless you’re using a CARP setup, or unless you have a business account with multiple static IP addresses, the answer is unfortunately no. Your ISP will not issue additional IP addresses to your network beyond the first one. All additional DHCP requests will be dropped.



8 Responses

  1. Sandy McCormick

    Mike, thank you so much for this article! I dug for hours on DSL reports unable to find any information on this. This is greatness!

  2. Bob Furgeson

    Oh my god. Thank you for such a simple explanation of how this works. I’ve been wanting to do this for a while and all my tech buddies kept telling me it wouldn’t work. I suspected that Verizon/Frontier would have no way of detecting such a setup. Thanks!!!

  3. Greg Kedge

    This sounds very interesting to me. I have purchased a VLAN-capable router (mini PC to host pfSense) and a VLAN-capable switch. I kinda get it and I certainly understand your proviso: “… it is critically important to make sure that there is no intra-VLAN traffic…”. Is there any elaboration for a VLAN initiate to make sure we get this right? Even perhaps a link to an existing, pedestrian how-to. Thx for setting the seed!

    • Mike Murray

      Not really. Just make sure the only VLAN communicating on those ports is the WAN VLAN ID. Also, make the PVID of the ports the same VLAN ID.

      • George Reedy

        Mr Murray – I think I understand the VLAN / PVID statements. What about the switch IP parameters? What IP/Mask would one use on the switch? D-Link DGS-1100-05. – gar

  4. Guy

    Hi Mike. I have an additional advantage for the switch in the middle; actually I put a switch at the ONT end and the other end of the connecting Ethernet cable connects to my home’s core switch. The advantage here is that I have Ethernet devices near my ONT in the garage that need connectivity (cameras etc.) and I don’t want to have to run another Ethernet cable. I just use a different native VLAN to connect to the ONT than the other ports with inside devices on them, and then just tag all the VLANs through the single “FiOS pulled” Ethernet cable. On the other end, I obviously have access to each of the VLANs as I need to handle them as the DMZ router and any internal devices. I get the same benefits that you describe in your article and also have no need for additional cable pulls for my cameras, but maintain L2 separation of the networks. More so, I don’t even have to port mirror; I can now just mirror a VLAN and I can see or stat the ONT-to-router traffic, which is kind of useful when sniffing to try to figure out how to handle the MoCA cable boxes without UPnP support in a Cisco router vs. the Actiontec supplied by FiOS :).
    Good note: With the switch method and your thought of switching routers, you can use the same MAC address for the two routers’ WAN side and the same IP subnet, as well as set the BIA to the MAC of the Actiontec LAN side, and easily swap between the two to compare sniffing traces without having to restart set-top boxes, as the ARP table still matches.
    However, I still physically shut or unplug one of the routers when doing this so there is no MAC conflict on my switching infrastructure. But as you said, the switch keeps the link up at the ONT so it never goes down either.
